Twitter hack spawns spam and scareware scams
DDoS campaign opens Pandora's Box
Spam and scams have continued to flow from the fallout of last week's DDoS against Twitter.
The attack, which took the micro-blogging service offline for around two hours on Thursday, and reduced service levels for a much longer time afterwards, (see here and here), also affected Facebook, LiveJournal and other sites. The intended target of the high profile attack (according to one popular, though disputed, theory) was Cyxymu, a pro-Georgian blogger. It was allegedly timed to coincide with the anniversary of the 2008 war between Georgia and Russia, over the separatist region of South Ossetia.
Miscreants have taken advantage of the new-found fame of Cyxymu to poison search engine indexes, so that searches for the term list sites harbouring scareware, McAfee warns. Sophos reports it detected a spam run following the attacks ostensibly containing an (ungrammatical) English language apology from Cyxymu. It's far more likely the supposed apology is nothing to do with Cyxymu and is designed to further irritate recipients and alienate the blogger, Sophos notes.
In interviews with The Guardian and CNN, Cyxymu, actually a 34 year-old economics lecturer from Tiblisi, the Georgian capital, blamed the denial of service attack that affected LiveJournal, Facebook and Twitter last week on the Kremlin. "Maybe it was carried out by ordinary hackers but I'm certain the order came from the Russian government," Cyxymu told The Guardian.
Meanwhile, more technical details are beginning to emerge about last week's attack. McAfee said a spam campaign referencing Cyxymu blogs and Twitter account and spoofed with false sender details began at 1300 BST, several hours before a DDoS attack against Twitter, Facebook et al. The Joe Job spam campaign and the later DDoS attack came (at least in part) from the same botnet of compromised machines, according to a blog post by McAfee.
In our analysis, the spam appears to have been distributed, at least partially, by the same botnet as the one that was used for the DDoS. Of the infected machines spreading the spam, 29 percent were located in Brazil, 9 percent in Turkey, and 8 percent in India.
We detected two distinct spam runs that began around 8 am EDT on Thursday, August 6 and started winding down around 11 am the same day, with the last messages being detected at 4 pm. Only the second spam run, the larger of the two, spoofed Cyxymu’s email address, while the first one randomized the senders’ email addresses.
DDoS mitigation experts Arbor Network said the DDoS attack traffic flowing last week began with a basic SYN Flood (the cyber equivalent of ringing a doorbell and running away) towards far more sophisticated attacks.
While "Joe Job" spam links may have comprised a significant portion of the attacks yesterday (as others have reported), [Arbor's] Observatory saw a range of additional attack vectors including TCP Syn, UDP flood, and Christmas Tree attacks.
The combined analysis from McAfee and Arbor suggests that Joe Job spam, spoofed to appear from Cyxymu and designed to discredit him, may have played some part in the lead up to the attack and might have placed some load on the referenced websites, but that the real damage was done later in a conventional DDoS attack. This attack increased in sophistication over time, a factor making it harder to repel, and came at least in part from the same botnet used to send the initial spam attack.
Neither analysis tells us much about who actually carried out the attack which, judging from previous high-profile DDoS campaigns, is likely to always remain something of a mystery. ®